DETAILED ACTION

Claim Rejections - 35 USC § 101 
1. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

Claims 1-3, 5, 7-9, and 11 are rejected under 35 U.S.C. 101 as not falling within 
one of the four statutory categories of invention. While independent claim 1 recites a 
series of steps or acts to be performed, a statutory "process" under 35 U.S.C. 101 must 
(1) be tied to a particular machine, or (2) transform underlying subject matter (such as an
article or material) to a different state or thing. See page 10 of In Re Bilski 88 USPQ2d 
1385. The instant claims are neither positively tied to a particular machine that 
accomplishes the claimed method steps nor transform underlying subject matter, and 
therefore do not qualify as a statutory process. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

1. Claims 1-3, 5, 13-15, 17, 33-35, 37 and 40 are rejected under 35 U.S.C. 103(a) 
as being unpatentable over See (US 2003/0021283) in view of Gray (US 7,330,832). 

Regarding claim 1, See describes a distributed network management system of
controlling usage of network resources on a communication network (abstract, 
individual network device each distributively performing rules/policy management), 
comprising: 

creating one or more packet rules (policy rules) for analyzing packets received at 
one or more network devices of the communications network, each rule including a 
condition and action to be taken as part of providing a service of the communication 
network if a packet received at a device satisfies the condition, wherein one or more 
packet rules are defined to examine any portion of a packet (fig. 4 and para. 35 & 38, for 
translating the network address (portion of packet) upon satisfaction of 1+ conditions); 

storing the one or more packet rules (para. 35, policy rules stored in repository
table);

creating one or more service abstractions (policy groups), each service 
abstraction representing a communication network service to be provided to users of 
the communication network, each service abstraction including a [named] set of one or 
more of the packet rules, that in combination provide the represented communication 
network service (para. 35, "According to one embodiment, certain policy rules (in 
combination) are organized into policy groups (service abstractions) based on a rule 
type 52". Policy groups comprising policy rules are used for (represented 
communication network service) network devices, where a network device may be 
computer hosts (user), para. 27); 

storing the one or more service abstractions (para. 35, policy groups stored in
repository table); 

host of the communications network (paragraph 27, where network devices may 
be computer hosts, and paragraph 30, "According to one embodiment, the policies 
relevant to a particular network device 24, 26, 28 are selected based on a role assigned 
to the device" and paragraph 35, "A rule type may organize policies into role policies"). 

See fails to describe: 

associating one or more of the service abstractions with the identity of the 
authenticated user of the communication network; 

in response to receipt of a packet at any of the network devices from the 
authenticated user, using the one or more service abstractions associated with the 
identity of the authenticated user to control usage of network resources on the 
communication network, the using including applying the packet rules in the one or 
more service abstraction to the packet. 

Gray describes a service allocation method, suggesting: 

associating one or more of the service abstractions with the identity of the 
authenticated user of the communication network (col. 6, lines 37-39, a function group 
12 (service abstraction) for the user, col. 9, lines 52-57); 

in response to receipt of a packet at any of the network devices from the 
authenticated user, using the one or more service abstractions (col. 6, lines 10-12, a 
user bid request (response) lead to (creating) its mapping of hierarchical abstractions 
comprising task 14 (service abstractions)) associated with the identity of the 
authenticated user (col. 6, lines 37-39, a task 14 (service abstraction) for the user, col.
9, lines 52-57) to control usage of network resources on the communication network 
(abstract, for service allocation (network resource control)), the using including applying 
the packet rules in the one or more service abstraction to the packet (fig. 1 & col. 6, 
lines 39-42, each task 14 (service abstraction) consists of multiple physical resources 
(packet rules) to be applied). 

It would have been obvious to one with ordinary skill in the art at the time of 
invention by applicant to specify the role abstraction layer to group the packet rules 
(layer). 

The motivation for combining the teachings is that it yields an efficient use of 
resources (Gray, col. 4, lines 8-11). 

Regarding claim 2, See and Gray combined further describe: 

configuring a network device of the communication network with one or more 
packet rules according to at least one of the service abstraction (Gray, fig. 1 & col. 6, 
lines 39-42, abstract resources 16 (packet rules) comprises (are according to) the tasks 
14 (service abstraction)). 

Regarding claim 3, See already describes logic to configure a port module 
network device of the communications network with one or more packet rules (para. 22, 
network policies (packet rules) are used to disable network ports (modules)). 

See and Gray combined further suggest: 

the packet rules are according to one of the role abstraction (Gray, fig. 1 & col. 6,
lines 39-42, abstract resources 16 (packet rules) comprises (are according to) the tasks 
14 (role abstraction)). 

Regarding claim 5, See and Gray combined further describes: 

distributing the one or more service abstractions to one or more network devices 
residing on the communications network (Gray, fig. 1 & col. 6, lines 39-43, the 
architecture model has a function (distribution module) for endowing network devices 18 
regarding its tasks 14 (role abstractions)). 

Regarding claim 13, See describes a system of controlling usage of network 
resources (network manager) on a communication network (abstract, individual network 
device each distributively performing rules/policy management), comprising: 

a rule editing module enabling the network manager (fig. 2, policy console) to edit 
one or more packet rules for analyzing packets received at one or more devices of the 
communication network (fig. 4 and para. 35 & 38, functionality (rule editing module) for 
creating (editing) rules for translating (analyzing) the network address of packets); 

storage means for storing the packet rules (para. 35, policy rules stored in
repository table); 

See fails to describe: 

a service editing module enabling the network manager to edit one or more 
service abstractions, each service abstraction representing a communication network 
service to be provided to users of the communications network, each service 
abstraction including a named set of one or more of the packet rules that, in
combination, provide the represented communications network service; 

a user management module enabling the network manager to associate users of 
the communications network with one or more of the service abstractions. 

Gray describes a service allocation method, suggesting: 

a service editing module enabling the network manager to edit one or more 
service abstractions, each service abstraction representing a communication network 
service to be provided to users of the communications network, each service 
abstraction including a named set of one or more of the packet rules that, in 
combination, provide the represented communications network service (fig. 1 & col. 6, 
lines 39-42, functionality (service editing module) to map each task 14 (service 
abstraction) to multiple physical resources (packet rules) in providing network services); 

a user management module enabling the network manager to associate users of 
the communications network with one or more of the service abstractions (fig. 2 & para. 
25, policy console 20 associates policy rules into policy groups (service abstractions) for 
the network devices comprising users). 

It would have been obvious to one with ordinary skill in the art at the time of 
invention by applicant to specify the role abstraction layer to group the packet rules 
(layer). 

The motivation for combining the teachings is that it yields an efficient use of 
resources (Gray, col. 4, lines 8-11). 

Regarding claim 14, See and Gray combined further describe: 

configuring a network device of the communication network with one or more
packet rules according to at least one of the service abstraction (Gray, fig. 1 & col. 6, 
lines 39-42, abstract resources 16 (packet rules) comprises (are according to) the tasks 
14 (service abstraction)). 

Regarding claim 15, See already describes logic to configure a port module 
network device of the communications network with one or more packet rules (para. 22, 
network policies (packet rules) are used to disable network ports (modules)). 

See and Gray combined further suggest: 

the packet rules are according to one of the role abstraction (Gray, fig. 1 & col. 6, 
lines 39-42, abstract resources 16 (packet rules) comprises (are according to) the tasks 
14 (role abstraction)). 

Regarding claim 17, See and Gray combined further describes: 

distributing the one or more service abstractions to one or more network devices 
residing on the communications network (Gray, fig. 1 & col. 6, lines 39-43, the 
architecture model has a function (distribution module) for endowing network devices 18 
regarding its tasks 14 (role abstractions)). 

Regarding claim 33, See describes a system of controlling usage of network 
resources on a communication network (abstract, individual network device each 
distributively performing rules/policy management), comprising: 

a rule editing module to create one or more packet rules for analyzing packets 
received at one or more devices of the communication network (para. 35, function (rule 
editing module) which create policy (packet) rules), each rule including a condition and 



Application/Control Number: 10/071,228 Page 9 

Art Unit: 2416 

action to be taken if a packet received at a device satisfies the condition, wherein the 
one or more packet rules are defined to examine any portion of a packet (fig. 4 and 
para. 35 & 38, for translating the network address (portion of packet) upon satisfaction 
of 1+ conditions); 

storage means for storing one or more created role abstractions or one or more 
created packet rules (para. 53, repository table storing the policy (packet) rules). 
See fails to describe: 

a role editing module to create, in response to a user, one or more role 
abstractions associated with an authenticated user, each role abstraction representing a 
role of an authentication user with respect to the communication network for controlling 
usage of network resources on the communications network by the authenticated user 
and each role abstraction including a set of one or more packet rules. 

Gray describes a multilevel service abstraction (fig. 1), comprising: 
a role editing module to create, in response to a user, one or more role 
abstractions associated with an authenticated user (col. 6, lines 10-12, a user bid 
request (response) lead to (creating) its mapping of hierarchical abstractions), each role 
abstraction representing a role of an authentication user with respect to the 
communication network for controlling usage of network resources on the 
communications network by the authenticated user (col. 6, lines 37-39, a task (role) 
abstraction for the user, col. 9, lines 52-57 for its service allocation (control usage of 
network resources)), and each role abstraction including a set of one or more packet 
rules (fig. 1 & col. 6, lines 39-42, each task 14 (role abstraction) comprises multiple
abstract resources 16 (packet rules)); 

It would have been obvious to one with ordinary skill in the art at the time of 
invention by applicant to specify the role abstraction layer to group the packet rules 
(layer). 

The motivation for combining the teachings is that it yields an efficient use of 
resources (Gray, col. 4, lines 8-11). 

Regarding claim 34, See already describes logic to configure a port module 
network device of the communications network with one or more packet rules (para. 22, 
network policies (packet rules) are used to disable network ports (modules)). 

See and Gray combined further suggest: 

See and Gray combined further describe: 

the packet rules are according to one of the role abstraction (Gray, fig. 1 & col. 6, 
lines 39-42, abstract resources 16 (packet rules) comprises (are according to) the tasks 
14 (role abstraction)). 

Regarding claim 35, See already describes: port configuration logic to 
configure a port module of a switching device with one or more packet rules (para. 22, 
network policies (packet rules) are used to disable network ports). 

See and Gray combined further describe: 

the packet rules are according to one of the role abstraction (Gray, fig. 1 & col. 6, 
lines 39-42, abstract resources 16 (packet rules) comprises (are according to) the tasks 
14 (role abstraction)). 




Regarding claim 37, See and Gray combined further suggest: 

a distribution module to distribute one or more role abstractions to one or more 
network devices residing on the communications network (Gray, fig. 1 & col. 6, lines 39-43,
the architecture model has a function (distribution module) for endowing network
devices 18 regarding its tasks 14 (role abstractions)). 

Regarding claim 40, See describes a method of controlling usage of network 
resources on a communication network (abstract, individual network device each 
distributively performing rules/policy management), comprising: 

creating one or more packet rules (para. 35, policy rules) for analyzing packets 
received at one or more devices of the communication network, each rule including a 
condition and action to be taken if a packet received at a device satisfies the condition, 
wherein the one or more packet rules are defined to examine any portion of a packet 
(fig. 4 and para. 35 & 38, for translating the network address (portion of packet) upon 
satisfaction of 1+ conditions); 

storage means for storing one or more created packet rules (para. 53, repository 
table storing the policy (packet) rules); 

See lacks describing: 

a computer program product to perform the above-mentioned system, 
comprising a computer readable medium and computer readable signals stored on the 
computer readable medium that define instructions that, as a result of being executed 
by a computer, instruct the computer to perform the process. 

in response to a user, creating one or more role abstractions associated with an
authenticated user each role abstraction representing a role of a user with respect to the 
communications network, and each role abstraction including a set of one more packet 
rules. 

Gray describes: 

a computer program product to perform the above-mentioned system, comprising 
a computer readable medium and computer readable signals stored on the computer 
readable medium that define instructions that, as a result of being executed by a 
computer, instruct the computer to perform the process (col. 6, lines 48-49). 

in response to a user, creating one or more role abstractions associated with an 
authenticated user (col. 6, lines 10-12, an (authenticated) user bid request (response) 
lead to (creating) its mapping of hierarchical abstractions), each role abstraction 
representing a role of a user with respect to the communications network (col. 6, lines 
37-39, a task (role) abstraction for the user, col. 9, lines 52-57), and each role 
abstraction including a set of one more packet rules (fig. 1 & col. 6, lines 39-42, each 
task 14 (role abstraction) consists of multiple physical resources (packet rules)). 

It would have been obvious to one with ordinary skill in the art at the time of 
invention by applicant to specify the role abstraction layer to group the packet rules 
(layer). The motivation for combining the teachings is that it yields an efficient use of 
resources (Gray, col. 4, lines 8-11). 

Claim 26 is a computer readable medium claim where its limitations are all
described in method claim 1. Hence, it is rejected under the same rationale.

Claims 27-29 & 31 are method claims which comprise limitations of system 
claims 33-35 & 37 respectively. Hence, they are rejected under the same rationale.

Allowable Subject Matter 
2. Claims 7-9, 11 and 19-21 and 23 are objected to as being dependent upon a 
rejected base claim, but would be allowable if rewritten in independent form including all 
of the limitations of the base claim and any intervening claims. 

The prior art fails to describe a network resource usage control method, further 
comprising: 

further creating one or more role abstraction, wherein the act of associating one 
or more service abstractions with the identity of the authenticated user includes 
associating the identity of the authenticated user with one or more role abstractions. 

Claims 13-15, 17, 19-21 and 23 allowed. 

The following is an examiner's statement of reasons for allowance: 
The prior art fails to describe a network resource usage control system, further 
comprising: 

each service abstraction representing a communications network service to 
provide to users within the network, each service abstraction including a named set of 
one or more of the packet rules, in combination, provide the represented communication 
network service, and a user management module to associate network users with the
one or more service abstractions. 

The closest prior art is Gray (US 7,330,832) which describes service allocation 
for a plural of entities which produces a mapping of concepts from the highest level of 
abstraction to the lowest - see fig. 1.

Any comments considered necessary by applicant must be submitted no later 
than the payment of the issue fee and, to avoid processing delays, should preferably 
accompany the issue fee. Such submissions should be clearly labeled "Comments on 
Statement of Reasons for Allowance." 

Response to Arguments 

3. Applicant's arguments with respect to claims 1-3, 5, 13-15, 17, 26-29, 31, 33-35,
37 and 40 have been considered but are moot in view of the new ground(s) of rejection. 



Conclusion 

4. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure: Buchanan (US 2002/0191541) describing system and method 
for topology constrained routing policy provisioning, and Kenny (US 2002/0122422) 
describing a central policy manager. 

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to WARNER WONG whose telephone number is (571) 
272-8197. The examiner can normally be reached on 6:30AM - 3:00PM, M-F. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Chi Pham can be reached on (571) 272-3179. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Chi H Pham/ 

Supervisory Patent Examiner, Art 
Unit 2416 

/W. W./ 

Examiner, Art Unit 2416 



